The goal of information security is to not react to the change. It's to learn about change in advance. That’s one of the many lessons Meg Anderson, Former CISO, Principal Financial Group, has learned after 40 years in cybersecurity. It’s a lesson she’s instilled in her teams, along with the power of saying no, the vital importance of developing a pipeline, and why cyber leaders need business leaders’ trust. Those lessons will help CISOs succeed, even as the cyber landscape changes.
Transcription (edited for clarity)
Elizabeth Heathfield, Chief Corporate Affairs Officer, FS-ISAC: Welcome to FS-ISAC's podcast, FinCyber Today. I'm Elizabeth Heathfield, Chief Corporate Affairs Officer at FS-ISAC. Today's guest is Meg Anderson, a seasoned leader with nearly 40 years of experience at Principal Financial, including the last 17 as CISO. As she retires, we'll talk about the evolution of information security over the last several decades and the critical skills teams will need in the future.
Elizabeth Heathfield: Thank you so much, Meg, for one last time doing a podcast with us. You’ve been such an amazing leader of the community all this time. And now you're approaching your retirement — 38 years at Principal and 17 as CISO. So how has your team and the needs of cybersecurity evolved over your time, especially from a skills perspective? What does your team need? How has that changed?
Meg Anderson: Sure. I remember the early days of my career and I sort of jumped into the CISO role laterally from IT. So I myself was learning, but the team was very focused on perimeter defense and compliance.
Now, compliance seems to be rolling back a little bit now with all the global complexity that that presents, but the team has really evolved from perimeter to cloud. The complexity is amazing — just what they've learned — and in addition, the understanding of the business and how the business connects to security, how security connects to risk, all the things that go into making security-related decisions. Whether that's policies and standards or doing business with a vendor, for example, those have changed quite a bit. The evolution, looking back, has been remarkable.
Heathfield: Yeah. I guess probably it's one of those things where you don't really recognize it, like when your kid's growing up, right? You don't necessarily recognize [growth] on a day to day until you look over that time. What kind of approaches have you taken to ensure that your team keeps up with the changing requirements of the department?
Anderson: I think one thing is, is it my job to make sure that they keep up? Or are you hiring the right people who consider it their job to make sure the team has a lot of opportunities to engage outside of the company? Making sure they have time inside the company to engage in training and development that's offered across the technology community, as well as specific to security, has been very important.
Hiring interns and watching them grow and develop [is important]. And I will tell you, the interns that we get are remarkable. Brilliant. We used to talk about security not being taught in college. It is now. And they are coming out of school with great engineering skills and great risk management skills as well. That's, I would say, one approach or a couple of different approaches that we take. But we're always open to ideas from the team on what they might want to do to grow and develop as well.
Heathfield: Do you have a different approach based on [seniority]? You just talked about the interns and getting the junior talent in the door and growing them. What about the more senior roles? How do you groom people up the stack?
Anderson: That's a great question because as I look back on my career, I didn't always recognize when I was being groomed to be a more senior level leader in the company. And so with my senior team, I really help them through my experience, helping them understand stories. One example is talking with the board or you can pivot that to talking to a risk committee or an executive committee. The technical language is something that you have to make sure you are explaining or tamping down when you're talking to an audience like that.
So I've done a fair amount of coaching, helping people with talking points for executive conversations — things like ‘don't use those acronyms, help them understand, put it in their language.’ And that's really a focus for senior-level team members.
Heathfield: Speaking of that, what has been your approach and how has it evolved into really building a leadership team around you? Do you have them present to the boards? Do you have them present to the committees? Talk about that specific piece of it.
Anderson: Sure. And some of that is just, quite frankly, delegation. So early in my career, I realized I cannot present to all these different groups and be the person in the room talking about security. And so about 10 years or so ago, we created a business information security officer [BISO] model. I might have talked to you about that before. It's something I'm really proud of and it's worked really well for us. So those business information security officers are assigned to each business unit and they really understand what's going on in the business, what's the business strategy, how does technology play into that. What are we doing from a security point of view that might impact the business either in a positive or a negative way? How do we use that two-way feedback loop and make sure our program is really supporting the business the way it needs to?
So that's part of my leadership team, those business information security officers. The other part of my leadership team are what I would call functional heads — head of GRC, cyber defense, identity access management, security engineering, data protection, those sorts of things. And those are three distinctly different areas. Engineering focuses on security technology, cyber defense focuses on threat intel, the SOC [Security Operations Center] and software security, vulnerability management, and then GRC.
So those areas take different focus and delegation. Cyber defense, for example, is not my background so that's the area I'm probably most curious about, I would say. I ask a lot of questions, learn, and then help them understand how what they do impacts the business as well, because their role is very, very important.
Heathfield: You talked about the different functions and the BISOs. From a personality perspective, how do you ensure that your leadership team complements each other, and how do you cultivate the skills to make sure that it builds into a cohesive whole?
Anderson: Personality is an interesting question. One thing that we've done recently and we have done in the past is assessment. There's lots of different assessments that you can choose from. I won't mention the one that we've done, but it served to help people understand each other and help you understand your colleague when they're under stress, how they might react. That helps you know how you might approach them when you see them reacting like that.
I myself have done that with my peer group and leadership team. So I understand how that can be used. You can flip back and say, ‘OK, when this person's under stress, they are going to shrink back from participating in a conversation. So how do I recognize that behavior and then get them to step back up?’ Having that transparency — ‘this is how you behave, this is how I behave’ — how we all bring different strengths and weaknesses to the team, and recognizing which ones are at play are really important. And also just being vulnerable too. ‘Hey, when I'm stressed out, my face might get red. I might raise my voice. It's my stress behavior. Call me on it.’ That sort of thing.
Heathfield: I think it's probably quite a team building, bonding exercise.
Anderson: Usually when we do those assessments, it's followed by something sort of fun and a little bit more lightweight.
Heathfield: So what roadblocks have you faced as you've shepherded your team along this journey, and how have you overcome them?
Anderson: Security is a business enabler and helping the business understand that throughout my career has been a little bit of a roadblock. Some people, not at just my company, in general, see the security team on islands doing security things, that security things are important. So for me, how I've overcome that, is always repeating the message: we're not doing security for security’s sake. We're not doing it because we have to follow a rule book. We are doing it for our customers and our investors.
And that's so true. You think about all the things that we do, that customers ask us about, right? They want to know how strong your security program is. They're trusting us with their data. They're trusting us with their life savings, in some cases. Investors, of course, want to make sure that they're investing money in a company that has a sound and secure program.
So that's where I try and overcome that roadblock a little bit. It's not me, the security team, against you, the engineering team, or the business team, or whatever team it might be. We are here together to serve our customers and our investors, and we need to make sure that we're doing what they expect.
Heathfield: How do you approach mentorship, both within your team, but also beyond? You've been a leader within FS-ISAC for many years. How do you approach it, and how would you recommend other CISOs think about the time that should be spent? Because it takes time, time you don't really have.
Anderson: Yeah, I prioritize mentorship pretty high. Depending on which statistics that you believe, you can certainly read many about the jobs that are open in cybersecurity. So I truly believe it's up to us to bring up that pipeline of talent. As a female, of course, I want to make sure that includes females. Which, I think, is growing. I look around at the FS-ISAC Summits and even just rooms when we have team meetings and Zoom meetings, I see more and more females. So I think it's really important for other females to make sure they're engaging and participating. It's not directly mentoring, but making sure people can see you.
Last year at the [FS-ISAC Summit] Women in Security Breakfast, or maybe it was two years ago, a young woman came up to me after the breakfast and gave me her card. She said something like, ‘you may not remember me, in fact, I'm sure you don't remember me, but I needed to tell you that I remembered you at my first Summit. You were up on stage. I don't know what you were talking about, but I saw that you were female and you were on stage.’ And I thought to myself, I can do this. And I was just super touched, but she's one person who told one person. There has got to be dozens or hundreds or thousands of women out there that see women on the stage making that first presentation in front of their peers. That matters. I think that's incredibly important.
Otherwise, I have a ton of people who from time to time will reach out [and say] ‘I’d love to talk to you. I'm a woman in security. I want to transition to a security job.’ We also have a formal mentorship program at my company, at Principal Financial Group. Participating in that also helps.
The other part of that, internally, [which] is selfish, is that when I participate in the mentoring program, that means somebody else is going to learn about security and have a little bit of an inside view of what we do and why we do it. And then they can spread the word.
Heathfield: And that helps with the business challenge that we were talking about before. How has your leadership style evolved? We talked about the personality test kind of thing, but more specifically, how has your leadership style evolved and how do you see it? How has it made you an effective CISO?
Anderson: I would say it's evolved a lot. Probably because I jumped into this role not knowing a lot. There was a lot of imposter syndrome or insecurity, or just a lot I didn't know. So I learned a lot from my team. I found the people I could trust to give me subject matter expertise, work through problems with them, challenges with them. And it was very collaborative. Principal is a very collaborative company to begin with. That's what was modeled to me and that's how my leadership style came out.
I would say collaboration hasn't changed over the years. What's probably changed is less consensus. So now that I have a better understanding, have those people I can trust, let's make the decision. Speed matters now. We don't have the time to make sure everybody's voice is in the room for every single decision. So trying to figure that out. Also just being able to say no. Saying no is part of the job. You don't have to say it very often. And I think it's really important that you don't say it very often. Because if you are the person always saying no, or even saying it often —
Heathfield: You become the “no CISO.”
Anderson: Yeah, it's more of, wow, when Meg says no, I mean, she really means it. It matters. We better not do that. We better adjust. Because we usually partner, work together, find a great solution that's secure enough and move forward. But if I have to say no, it's for a good reason.
Heathfield: Do you have any advice for aspiring CISOs in terms of this? Because of course you gain confidence over the years. So what advice would you give to people who would like to be in your position in a couple of years in terms of cultivating your leadership style?
Anderson: From a leadership point of view, learn the business. Understand the leaders in your company. Make time to meet them before something bad happens. I think that's very, very important to earn trust. The team is not here to cause problems or get in the way. We want to make sure we're proactive. Meet people as they join your company, as they change roles, make sure you know who they are because you just don't want to be in a situation where you have to deliver some bad news or there's some sort of challenge and you're meeting them for the first time. That would be my number one thing. It's about the people.
What I'm thinking about as I hand off to somebody new is that they're certainly going to come in and make some changes. And that's great. They're going to bring a different perspective. So be open to those perspectives. Understand where this worked for now, but we're going to try something new. Just the whole ability to adapt to new things. And throughout my career, of course, I've also reported to different people. My leader retired five or six years ago and I have a new leader. So that's also super important to understand — where does your leader fall in the whole scope of risk appetite? Or how do they feel about how security supports the business?
Heathfield: So speaking of that, given all the changes that we're seeing — with emerging technologies, the changing regulatory landscape, the changing geopolitical landscape — what do you think are the skill sets that information security teams are going to need? And how should CISOs think about investing in those now to grow that pipeline so that they can adapt as those changes come?
Anderson: Yeah, the speed of change in information security is phenomenal. So obviously, I have to say it — AI, right?
Heathfield: I still can't get through one podcast without saying AI.
Anderson: Every member of the team probably should be experimenting with it if they haven't already. They should be using it in their daily work to see ‘how can I leverage Copilot’ or whatever type of AI you might be using in your company or something homegrown, to truly understand the power it's going to bring. And also look beyond AI to what's next. Always be looking forward. I think that's really important because, like I said, things change. And our goal in information security is to not react to the change. It's to learn about it in advance, think about how it applies to our business, and then proactively think about, how are we going to approach that from a security point of view?
Heathfield: When there's so much happening on a day-to-day basis, how do you ensure that your teams get the time and space to do that proactive learning and develop the skill sets that are coming? When they obviously have quite a lot that they do need to react to on a day to day?
Anderson: Capacity is an issue, right? Everybody's got more work than can possibly get done in a day. So we will help people with time management skills should they need it or ask for help there. We also are looking at how do we say no? How do we say ‘we can't do that now, we have to do that later’? How do we say ‘this is more important and I have to stop this work’? So we have quite a bit of conversation about that right now because — well, I've been through times in my career where I didn't feel like I could say no. You end up, you know, eating, sleeping, and breathing information security. And in the end, that's not good for morale, it's not good for your brain. You just really need that break.
So we are definitely very intentional about talking about workload, making sure we're balancing that. It doesn't always work. Some people are just wired differently than others, and that's okay. But as long as the leader's having that conversation. Some people will say, ‘hey, I'm not going to respond to Teams chats on the weekends unless something's on fire.’ That's great. Or some people might say, ‘I'm still going to do it because I have to write it down.’ Now you can do a lot of schedule-send and things like that to avoid it. But people need to make time for their own development. And if they plan it, talk to their leader, like, ‘hey, this is my plan for my development. Here's how I think I'm going to go after it,’ they can have that conversation. Now, sometimes things will get in the way. But just being very open about it and transparent, I think, is super helpful.
Heathfield: Any other advice you'd like to give to viewers in the community as a departing CISO, at least for now?
Anderson: You know what? This has been a fantastic career for me. I never really knew what I was jumping into when I jumped 17 years ago. My idea of the scope of information security was quite a bit smaller. Now it's grown a ton over the 17 years, but I have always had fun as part of my job. Every single day wasn't fun, but I always have told my leader, I'm still having fun. So I do think if you hop into information security, if you hop into a CISO role, and you find you're not enjoying it and you find you're not having fun, I think it's time to rethink whether or not that's the career for you.
But I know when I first became a CISO I was introduced to an ex-CISO and what he said is, ‘this is the worst job I ever had. It sucked the life out of me,’ or something like that. And I thought, what am I doing? Like, what am I doing? This profession might actually be very, very high stress and a bad fit for me. But I stuck to it and I'm so glad I did.
Heathfield: Well, I have to say, in my experience of you as a board member of FS-ISAC, you've always made it really look so easy. I just wanted to thank you because I've always noticed it and you make it look effortless. So thank you so much for doing this now and also for all of your service to FS-ISAC over the years.
Anderson: Sure. Thank you for having me, and best of luck.
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
© 2025 FS-ISAC, Inc. All rights reserved.
Meg Anderson formerly led the Information Security & Risk team for Principal Financial in the role of VP-Chief Information Security Officer. She was responsible for driving information security strategy for the global Fortune 500 company including security operations, identity and access management, data protection, governance, risk and compliance. Meg participates on a wide variety of CISO councils, was a Board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and previously served as chair of the Strategy Committee of the board. Before the role of VP-CISO, Meg acquired over twenty years of technical and leadership experience in application development. Meg graduated from the University of Iowa with a Bachelor of Business Administration in Management Information Systems.
Elizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web 3.0. Quantum. AI. Ransomware. Privacy. Regulation. Zero-days. Supply chain attacks. Developing new and diverse talent. How to protect the future of money. These are the topics Elizabeth asks top executives and experts in the field about on FinCyber Today.